Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03-07-2024 08:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddeeff4e5314374020eec0588d404cbd6ffd20ebf828bc81e9b0816def71232f.exe

  • Size

    5.9MB

  • MD5

    048aee0544f6faf502419b571a053980

  • SHA1

    047c0fb760c3af3b0a1e741bd808858090dd70bf

  • SHA256

    ddeeff4e5314374020eec0588d404cbd6ffd20ebf828bc81e9b0816def71232f

  • SHA512

    4fa292dade05bfc568ba6a39f129bdf88e59486faadebd64f2488fac79893c49b95c1bd7a606afae5e2add7cfece62554aa6d0e5ebd9f4eb75ba20dd462e8940

  • SSDEEP

    98304:jYBYLosS6pvT7gIit3r648uaK9hobG/c70C0LRaFS:cBYLNS6pvT76t3r6bJK9hobZEVp

Score
10/10
stealcvidarspywarestealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Signatures

  • Detect Vidar Stealer 5 IoCs
    stealer
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddeeff4e5314374020eec0588d404cbd6ffd20ebf828bc81e9b0816def71232f.exe
    "C:\Users\Admin\AppData\Local\Temp\ddeeff4e5314374020eec0588d404cbd6ffd20ebf828bc81e9b0816def71232f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:4616
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\ProgramData\JEGHJDGIJE.exe
          "C:\ProgramData\JEGHJDGIJE.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
              PID:1940
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 292
              4⤵
              • Program crash
              PID:4492
          • C:\ProgramData\AAAKEBGDAF.exe
            "C:\ProgramData\AAAKEBGDAF.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4364
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              4⤵
                PID:1888
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 320
                4⤵
                • Program crash
                PID:2760
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGCGHCBKFCFB" & exit
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4124
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 10
                4⤵
                • Delays execution with timeout.exe
                PID:4176
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1788 -ip 1788
          1⤵
            PID:4260
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4364 -ip 4364
            1⤵
              PID:1092

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\AAAKEBGDAF.exe
              Filesize

              937KB

              MD5

              168c5908924803d268d26965c32a5620

              SHA1

              9e0e2dc9c7e931c4ee860c32d83711c433f7b1a3

              SHA256

              2fd72d0d0fbc053a53adee5d9ec6cffde3fb5a3c6ba0c0490e24552b264d5449

              SHA512

              749f0e4da8d6fde35b53e769b0b594c2e63835f970eedc54c8c15889863811b5fb296650ae9f5e255bafdd4b942ad3434a60c48e05f1283820c378d30645f1c1

              Download Submit
            • C:\ProgramData\JEGHJDGIJE.exe
              Filesize

              516KB

              MD5

              0309dd0131150796ea99b30a62194fae

              SHA1

              2df6e334708eae810a74b844fd57e18e9fdc34cd

              SHA256

              07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35

              SHA512

              3d4e5a0718d04fee92d8040880b631107d1e23a6b3bce430d58769179af999c28b99e50c5cd45f283339f7bbb24ffacbf601a5447edb12e28da4517fbfa282e8

              Download Submit
            • memory/1124-35-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-2-0x0000000005400000-0x000000000549C000-memory.dmp
              Filesize

              624KB

              Download
            • memory/1124-4-0x0000000005660000-0x00000000057BE000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/1124-5-0x00000000054A0000-0x00000000054BC000-memory.dmp
              Filesize

              112KB

              Download
            • memory/1124-17-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-15-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-65-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-0-0x000000007462E000-0x000000007462F000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1124-1-0x0000000000340000-0x000000000091C000-memory.dmp
              Filesize

              5.9MB

              Download
            • memory/1124-70-0x0000000074620000-0x0000000074DD1000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/1124-63-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-61-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-59-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-55-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-54-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-51-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-49-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-47-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-45-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-43-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-41-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-37-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-163-0x0000000074620000-0x0000000074DD1000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/1124-3-0x0000000074620000-0x0000000074DD1000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/1124-25-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-29-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-27-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-31-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-24-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-21-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-13-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-9-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-7-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-57-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-39-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-19-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-11-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-6-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1124-71-0x0000000074620000-0x0000000074DD1000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/1124-33-0x00000000054A0000-0x00000000054B5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/1788-144-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1940-148-0x0000000000400000-0x000000000045A000-memory.dmp
              Filesize

              360KB

              Download
            • memory/4564-86-0x0000000000400000-0x0000000000648000-memory.dmp
              Filesize

              2.3MB

              Download
            • memory/4564-72-0x0000000000400000-0x0000000000648000-memory.dmp
              Filesize

              2.3MB

              Download
            • memory/4564-66-0x0000000000400000-0x0000000000648000-memory.dmp
              Filesize

              2.3MB

              Download
            • memory/4564-68-0x0000000000400000-0x0000000000648000-memory.dmp
              Filesize

              2.3MB

              Download
            • memory/4564-164-0x0000000000400000-0x0000000000648000-memory.dmp
              Filesize

              2.3MB

              Download